Malwarebytes Anti-Exploit

Discussion in 'other anti-malware software' started by ZeroVulnLabs, Oct 15, 2013.

  1. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    I agree with you, fully. That MPC-HC issue is unimportant for SBIE still protecting standalone, or MBAE alone.
     
  2. Cutting_Edgetech

    Cutting_Edgetech Registered Member

    Joined:
    Mar 30, 2006
    Posts:
    5,694
    Location:
    USA
I don't have any problems with MBAE and MPC. I do have problems with HMPA giving false positives with MPC on Windows 7 x64. The alerts happen at random, so it's hard to reproduce. HMPA will alert me to a HeapSpray attack, and I can play the same video again without any alert. I don't use Sandboxie.
     
  3. 142395

    142395 Guest

    Thank you for the reply. :thumb:
    I wrongly thought it was not protected because usually, if I try to add an already protected program, MBAE warns about this. In the FlashPlayerPlugin_*.exe case, there's no warning.
    Also, I wonder, can I use wildcards ('*' and maybe '?') when I add other programs too?
     
  4. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Yes, you can use wildcards (*) in your custom shields.
     
  5. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I'm back on MBAE Premium, after testing HMPA. This is a bit of nitpicking, but can it be true that MBAE causes a minor start-up delay of apps that get loaded by Sandboxie? Because it's trying to inject into those apps, while it can't? So I was thinking, perhaps it's an option to make MBAE ignore protected apps when they run inside "C:\Sandbox".
     
  6. 142395

    142395 Guest

    Thanks, it's convenient! :thumb:
     
  7. 142395

    142395 Guest

    I don't know, though MBAE adds quite a bit of delay in opening the browser unsandboxed, it's negligible, and I also don't notice a delay in opening sandboxed Firefox. I haven't applied the MBAE template so far and mbae.dll is not loaded.
     
  8. Feandur

    Feandur Registered Member

    Joined:
    Jun 15, 2005
    Posts:
    429
    Location:
    Australia
    Any news of a new beta coming anytime soon?

    feandur
     
  9. Tarnak

    Tarnak Registered Member

    Joined:
    Feb 5, 2007
    Posts:
    5,296
    I say if it ain't broke...don't fix it! ;)
     
  10. guest

    guest Guest

    Bugs will always exist and mitigations can always be improved
     
  11. Rasheed187

    Rasheed187 Registered Member

    Joined:
    Jul 10, 2004
    Posts:
    17,559
    Location:
    The Netherlands
    I think it might be my imagination, or perhaps I'm too sensitive about this stuff. But I have to say that I see almost no delay at all with protected apps (not running sandboxed), so the MBAE developers have done a great job.
     
  12. Mr.X

    Mr.X Registered Member

    Joined:
    Aug 10, 2013
    Posts:
    4,805
    Location:
    .
    Yep, I agree with you, I can't "sense" any delay in any sandboxed/unsandboxed apps even though I'm using a Celeron processor.
     
  13. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    ZVL, MBAE and Firefox 36.0 don't go together on Windows XP Professional Service Pack 2. For example, when the MBAE shield/protection for Firefox 36.0 is activated/active, Mozilla Firefox 36.0 cannot connect to the internet, while my other web browsers like Internet Explorer and Google Chrome connect to the internet normally.
    Every time I disable the MBAE shield/protection for Mozilla Firefox 36.0, Mozilla Firefox 36.0 connects to the internet normally. I truly don't know if this is MBAE's fault or Mozilla Firefox's fault (Mozilla Firefox, newest version 36.0) for these incompatibility issues.
     
    Last edited: Feb 27, 2015
  14. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Tried Firefox 36 on XP SP3 and it works and connects to the Internet correctly. Can you test with SP3 instead of SP2?

    Edit: MBAE minimum requirements is XP SP3.
     
  15. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    It doesn't make any sense. First I couldn't update and run Firefox 36 on SP3, then I went back to Service Pack 2, then I installed Firefox 36.0 successfully (on Service Pack 2), but then I couldn't surf the net on Firefox 36.0 until I deactivated the shield.
    It doesn't make any sense that MBAE does not work on Service Pack 2, if MBAE does actually work and shield/protect Google Chrome (newest version) and Internet Explorer 8 (at least on my computer).
     
  16. guest

    guest Guest

    It doesn't make sense that you are running Windows XP SP2 while support for SP2 was dropped 4.5 years ago (July 13, 2010).
    I can understand that you're not able to upgrade from Windows XP to Windows 8 or Ubuntu, for example, but don't blame MBAE for not working on a platform that lost support ages ago.
    (BTW, HMPA and EMET 4.1 also require at least Win XP SP3.)
     
  17. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    How exactly is it running just fine on my Windows XP Service Pack 2 except for Mozilla Firefox?
    Heck, even Office and Sumatra documents are also protected by MBAE. It doesn't make any sense; it shouldn't be working at all with anything, but yet it does.
     
  18. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    In regards to the minimum requirements, it is not because of whether MBAE works or not. It is simply to draw a line in the sand as to what we consider official vs. unofficial support. In fact, it would probably also work under Windows 2000 if we enabled that. Also, we have some code within MBAE that's not necessarily related to the core exploit mitigation capabilities which requires some components only available since XP SP3.

    But aside from that, if there is a problem clearly we will take a look at it. However as I said I haven't been able to replicate it. FF 36 and 37 work for me.

    Has anybody else experienced the issue?
     
  19. vojta

    vojta Registered Member

    Joined:
    Feb 26, 2010
    Posts:
    830
    Works fine on XP32 SP3 here. No problem with Firefox 36.
     
  20. CoolWebSearch

    CoolWebSearch Registered Member

    Joined:
    Sep 30, 2007
    Posts:
    1,247
    It really does not matter. I came back to Windows XP Service Pack 3 (just in case, I don't want to cause some conflicts, because I don't have time anymore for fixing it), but the Firefox issue on Windows XP Service Pack 3 has nothing to do with MBAE. It says that my file kernel32.dll is missing, but it is not; I checked and double checked, and I still can't open Firefox 36, so I decided to install the ESR 31.05 version.
     
  21. KaptainBug

    KaptainBug Registered Member

    Joined:
    Dec 26, 2013
    Posts:
    484
    @ZeroVulnLabs There is a video on the Trapmine channel which shows MBAE not protecting IE against CVE-2014-6332. Maybe you can fix this?
     
  22. guest

    guest Guest

    I've seen that video some time ago, but I deliberately didn't post a link on Wilders Security simply because their methods of 'testing' are wrong. They seem to use the first freely available PoC of CVE-2014-6332, which just launches notepad.exe. So it is not a 'real' attack; otherwise an executable would have been downloaded and executed using PowerShell, for example.

    I have to admit that I haven't yet tested MBAE or HMPA with for example CVE-2014-6332, but at least I do not agree with the methods of 'proving' that TrapMine works just by running the notepad.exe command locally.

    TrapMine also posted a video in which its product was compared to EMET 5 using a vulnerability in Adobe Reader 9.0. EMET appeared to be fully functional, but a bypass was possible. I suspect that they used a logic flaw in Adobe Reader 9 which was patched by Adobe back in 2010. (I can't find the correct CVE that quickly.)
     
    Last edited by a moderator: Feb 28, 2015
  23. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    @regenpijp is correct, it is not the same to launch an existing file from the system as to create or download and execute something from the Internet.

    I am interested in the other videos you mention about the Firefox logic flaws. If posting youtube links is against forum policy could you please PM them to me?
     
  24. ZeroVulnLabs

    ZeroVulnLabs Developer (aka "pbust")

    Joined:
    Mar 5, 2012
    Posts:
    1,189
    Location:
    USA
    Thanks for the two links to the Firefox demo.

    In the interest of being open I will reply here instead of PM so that others can see our response to these two videos. They were reported to us originally by Claes, the one who blogged about it and posted the two videos. The following was our response to him:

    1. The first issue is a design error within Firefox (CVE-2014-1510 & CVE-2014-1511 as implemented in Metasploit exploit/multi/browser/firefox_webidl_injection). It does not exploit any memory corruption vulnerabilities and was already fixed by Mozilla about a year ago, since Firefox version 27. If this were IE or any other application that doesn't update automatically, we'd probably add protection for it, but seeing how (1) there is no memory corruption vulnerability and (2) it was fixed a year ago, we're not going to add protection for this. However, we'll keep an eye on the issue to see if there are any other potentially exploitable conditions in the latest Firefox versions.

    2. As for the second issue with the bootstrap.js XPI installer/container, it is really just a malicious plugin and not an exploit. It is not making use of any vulnerabilities to execute the payload, so it is outside the scope of the Anti-Exploit protection design. This falls more under a social engineering type of scenario where you would have to fool the user into installing a rogue plugin. The type of products typically tasked with detecting and disinfecting rogue or malicious browser plugins are normally Anti-Malware products.
     
  25. Sampei Nihira

    Sampei Nihira Registered Member

    Joined:
    Apr 7, 2013
    Posts:
    3,365
    Location:
    Italy